Kill Switches Come to Life

After a long, hot summer of costly software glitches and trading meltdowns in U.S. equity markets, the exchange community is looking for new ways to tackle market malfunctions at the urging of the Securities and Exchange Commission. Perhaps the most intuitive solution that emerged at the SEC’s market technology roundtable on October 2 was the idea of creating a so-called kill switch — an automated software program that would allow an exchange to suspend, or drop, order flow from a member firm or trading partner whose trades exceeded a preset risk limit.

The idea was initially presented to the SEC by a group of U.S. exchanges, broker-dealers and buy-side firms in a letter dated September 28, just days before the roundtable in Washington D.C. The signatories, who included seven exchange and clearinghouse executives (the letter was also endorsed by 16 banks, broker-dealers and buy-side firms), have joined forces to tackle market risk as members of an informal, industry-wide working group. Humbled — and alarmed — by the frequency and severity of some of the most recent trading glitches, the industry working group is developing solutions that could help backstop the risk parameters set by the exchanges’ own member firms and market makers.

Although the kill switch concept would not solve every market-infrastructure challenge in an age of lightning-fast, high-volume trade execution, says Eric Noll (who was one of the signatories on the letter to the SEC), executive vice president of transaction services in the U.S. and U.K. for the Nasdaq OMX Group, it would still be a valuable tool in the event of a problem emanating from a member firm’s trading software. “It would provide a failsafe means for the exchange to step in at the last minute, and — based on a predetermined metric — turn off a firm’s trading access, thus preventing software problems from doing any more damage, either to the firm itself or other participants in the marketplace,” he says.

The hazards of external software bugs setting off erroneous trading patterns became obvious this summer when Jersey City, New Jersey–based Knight Capital Group botched a trading-software upgrade on August 1 and reportedly activated a piece of dormant code. The rogue code sent a flurry of orders to the New York Stock Exchange that ultimately cost the firm $440 million. Unable to meet the costs of its trading fiasco, Knight had to be rescued from financial ruin by a consortium of Wall Street banks and trading competitors, including New York–based alternative asset management firm Blackstone, Chicago-based automated market maker Getco and New York–based investment bank Jefferies Group.

Knight wasn’t alone in its shame. A number of other firms suffered expensive, headline-grabbing technological glitches this year, including BATS Global Markets, which botched its own IPO in March, and Nasdaq, which suffered a very public market glitch during the launch of the Facebook IPO in May. Knight’s dilemma, which affected dozens of New York Stock Exchange–listed stocks and resulted in a surge of erroneous trades being executed, was among the most visible and damaging because the firm’s own risk controls were clearly insufficient to stop the orders flowing through to the exchange — and NYSE didn’t have any obvious way to help Knight address the problem, highlighting the need for an automated trading-suspension tool like a kill switch.

“You have to have a way of stopping chaos once it happens,” says Miranda Mizen, New York–based principal and director of equities research for market research firm TABB Group. “So conceptually, I think this [kill-switch idea] is a must.” Mizen is pleased by the way the exchanges are stepping up to the challenge, and starting to work together to protect market integrity more broadly, beyond their own business interests. “It’s not enough to say, well, my systems are working okay,” she says, “because a problem may be bigger than an individual market.”

Although kill switches could provide a powerful means of blocking erroneous trades, they would still have to be venue-specific in their initial rollout, Noll says. They would not be able to address anything happening in other markets or other types of securities. “Kill switches could not provide a holistic solution across multiple venues, multiple asset classes and multiple geographies,” he says, “but on the individual exchange level, they would be meaningful — and make sense.”

The operational structure of a kill-switch system has yet to be determined, but the working group’s letter spelled out one possible approach by suggesting that exchanges develop software that would track individual member firms’ “peak net notional exposure,” which would be calculated by adding net long positions with net short positions on an absolute basis per trading symbol. Working in conjunction with the exchanges, individual member firms would establish limits on their overall trading activity (or even categories of activity) within which they wanted to operate. The exchange’s software would then measure post-trade exposure on an automated basis, send warnings when trading activity encroached on those limits — and trigger suspension of trading if those limits were exceeded.

The addition of such preprogrammed trading limits would not preempt the work already being done by individual trading firms and broker-dealers to enhance their own risk management systems — it would merely supplement those efforts. “Many trading firms have their own versions of kill switches,” says one industry source, whose trading firm endorsed the September 28 letter, “but — in order for it to be failsafe — a backup at the exchange level would be very valuable.” He believes the key is to take a multilayered approach, not least because software glitches can cause unanticipated disruptions within technology systems.

“It’s possible, even for a very well-intentioned, well-managed trading firm to have a problem with the activation of its own internal kill switch if it is simultaneously experiencing a broader problem with its trading system,” he says. “When engineering systems become unstable, they can become unpredictable, so it would be good to have independent, external safeguards.”

In all likelihood, the exchanges will develop some form of kill-switch technology simply to protect their own businesses from the threat of disruption. Discussions are already underway with the exchanges’ member firms. Earlier this month, for example, Noll spent several days in Chicago, conducting meetings with Nasdaq’s trading clients to hear their views on kill switches and other exchange-level risk-management tools. The challenge, of course, will be to find a way to backstop the risk parameters of a single member’s trading activity — and suspend its activity if necessary — without disrupting markets further or adversely impacting order flow. The biggest concern in the trading industry is that, if designed incorrectly, these risk-management tools could create cascading activation of kill switches across trading venues and firms, driving liquidity out of the market just when that liquidity is most needed.

“Activating a kill switch could be akin to putting on the handbrake when you’re going down the highway,” says TABB’s Mizen. “But what happens to everyone else who is on that road? What happens to the order flow that is backing up behind it? Does it just spin off? Obviously, there are a number of warning systems that could be put in place, but — at the rate at which things happen these days — a warning is a luxury, not a normality, so different parties’ interests need to be balanced.”

Despite the challenges inherent to the project, the kill-switch concept seems to have gained considerable momentum within the industry over the past few weeks. The members of the working group continue to meet regularly, Noll says, with the aim of developing a market-led solution as a matter of urgency. No one wants to risk another Knight-style fiasco.